Generate your stake pool keys

A stake pool needs at least 2 running nodes: a block-producing node and a relay node.

We need to set up our block-producing node. You can build the node from source or maintain a single build on your local machine and only upload the binaries to your block-producing and relay servers. Just make sure you have consistent versions across them.

network diagram

The block-producing node will only connect with its relay, while the relay will establish connections with other relays in the network. Each node must run on an independent server.

Basic block-producing node firewall configuration:

  • Make sure you can only log in with SSH keys, not a password.

  • Make sure to set up SSH connections on a port other than the default 22.

  • Make sure to configure the firewall to only allow connections from your relay nodes, identified by their IP addresses.

Basic relay node firewall configuration:

  • Make sure you can only log in with SSH keys, not a password.

  • Make sure to set up SSH connections on a port other than the default 22.

  • Make sure you only have the strictly necessary ports open.

Creating keys for our block-producing node

WARNING: You may want to use your local machine for this process (assuming you have cardano-node and cardano-cli on it). Make sure you are not online until you have put your cold keys in secure storage and deleted the files from your local machine.

The block-producing node or pool node needs:

  • Cold key pair,

  • VRF Key pair,

  • KES Key pair,

  • Operational Certificate

Create a directory on your local machine to store your keys:

mkdir pool-keys
cd pool-keys

Generate Cold Keys and a Cold_counter:

cardano-cli shelley node key-gen \
--cold-verification-key-file cold.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter-file cold.counter

Generate VRF Key pair

cardano-cli shelley node key-gen-VRF \
--verification-key-file vrf.vkey \
--signing-key-file vrf.skey

Generate the KES Key pair

cardano-cli shelley node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey

Generate the Operational Certificate

We need to know the slots per KES period; we get it from the genesis file:

cat mainnet-shelley-genesis.json | grep KESPeriod
> "slotsPerKESPeriod": 3600,

Then we need the current tip of the blockchain:

cardano-cli shelley query tip --mainnet
{
"blockNo": 36929,
"headerHash": "44c2a2be237ea485c15bf2a50c12b4d2aabe6d4233cb1b2131efc080615a17d0",
"slotNo": 906528
}

Look for the tip's slotNo value. In this example we are on slot 906528. The current KES period is the slot number divided by slotsPerKESPeriod (integer division), so the KES period is 251:

expr 906528 / 3600
> 251

To generate the certificate:

cardano-cli shelley node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter cold.counter \
--kes-period 251 \
--out-file node.cert

Move the cold keys to secure storage and remove them from your local machine.

The best place for your cold keys is a SECURE USB or other SECURE EXTERNAL DEVICE, not a computer with internet access.

Copy the files to the server:

Copy your VRF keys, KES Keys, and Operational Certificate to your block-producing server. For example:

scp -rv -P<SSH PORT> -i ~/.ssh/<SSH_PRIVATE_KEY> ~/pool-keys USER@<PUBLIC_IP>:~/

> Transferred: sent 3220, received 6012 bytes, in 1.2 seconds
Bytes per second: sent 2606.6, received 4866.8
debug1: Exit status 0

Log in to your server and verify that the files are there:

ls pool-keys

> kes.skey  kes.vkey  node.cert  vrf.skey  vrf.vkey  
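
The listing above can be checked mechanically. The function below is an added example, not part of the original guide or of cardano-cli: it fails if any cold.* file reached the server, if a file the node needs is missing, or if a signing key is readable by anyone but its owner. The name audit_pool_keys and the 400/600 mode requirement are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide).
# Usage on the block-producing server: audit_pool_keys "$HOME/pool-keys"
# Prints one line per finding; returns 0 if the directory is clean, 1 otherwise.
audit_pool_keys() {
    dir=$1
    rc=0

    # The expected listing contains no cold.* file: cold material stays offline.
    for f in "$dir"/cold.*; do
        if [ -e "$f" ]; then
            echo "FAIL: cold key material on server: $f"
            rc=1
        fi
    done

    # Files copied to the block-producing node in the step above.
    for f in kes.skey vrf.skey node.cert; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: missing $f"
            rc=1
        fi
    done

    # Assumption of this example: signing keys should be owner-only (400 or 600).
    for f in "$dir"/*.skey; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as a fallback.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case $mode in
            400|600) ;;
            *) echo "FAIL: $f has mode $mode, expected 400 or 600"; rc=1 ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```
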

Later on we will learn how to register our pool on the blockchain.